A vulnerability was found in Safari that leaked the Google account name, a problem was reported to Apple, but it remains unsupported

Fingerprint JS , which provides an API for identifying fingerprints and online scams, points out that Safari, a genuine Apple browser, has a vulnerability that allows Google account information to be leaked to any website.

Exploiting IndexedDB API information leaks in Safari 15

Safari 15 bug can leak your recent browsing activity and personal identifiers --The Verge

The vulnerability in question exists in the IndexedDB API , an API for storing data in the browser newly installed in Safari 15, the latest version of Safari. IndexedDB API is a browser API for client-side storage designed to hold large amounts of data and is a very common API supported by all major browsers, not just Safari. The IndexedDB API is a low-level API that makes it easy for many developers to use.

The IndexedDB API is also designed to adhere to the same-origin policy. This policy restricts one origin from interacting with data collected by another. In other words, the IndexedDB API is basically designed to be accessible only to the website that produces the data. For example, if you are using your email account in one tab and open a malicious web page in another tab, the same-origin policy will prevent information about your email account from being stolen by the malicious web page. That's why.

However, Fingerprint JS points out that IndexedDB API does not comply with the same-origin policy in Safari 15 running on all operating systems such as macOS, iOS, and iPad OS. Every time a website interacts with a database, it creates a new (empty) database with the same name in every activeframe tab window in the same browser session. In other words, other websites do not share the contents of the database created by another website, but they are now able to browse the name of the database. This 'database name' may include the user ID, and according to FingerprintJS, all services that use a Google account, such as YouTube, Google Calendar, and Google Keep, use the user ID of the Google account as the name of the database. It seems that it is.

Regarding what is wrong with leaking database names, FingerprintJS said, 'This vulnerability clearly leads to a violation of user privacy. This vulnerability allows any website to be accessed by users. In addition, in some cases, the name of the database is the same as the user ID, which leads to the identification of the user. '' For example, in the case of Google's user ID, use the

Google API. You can also get the public personal information of the account owner. The information exposed by these APIs will be controlled by many factors, but at least you will have access to your profile picture. ' indicate.

According to FingerprintJS, there is nothing that users can do to avoid this vulnerability at the time of article creation, and even if you are using Safari's private browsing mode, the name of the database is missing.

FingerprintJS reported the vulnerability to Apple on November 28, 2021, but the Safari update to fix it has not been released yet. Also, overseas media The Verge has asked Apple to comment on this matter, but no response was received at the time of writing the article.

in Software,   Security, Posted by logu_ii